AtlasVPN Linux Zero-Day Disconnects Users, Reveals IP Addresses

[EDITOR's NOTE: On Sept. 18, 2023, nearly two weeks after this story posted, AtlasVPN issued a patch for the vulnerability]

A security researcher has published exploit code for AtlasVPN for Linux, which could enable anybody to disconnect a user and reveal their IP address simply by luring them to a website.

AtlasVPN is a "freemium" virtual private network (VPN) service owned by NordVPN. Despite being just 4 years old, according to its website, it's used by more than 6 million people worldwide.

On Sept. 1, after receiving no response from the vendor, an unidentified researcher (referred to by their Full Disclosure mailing list username, "icudar") posted exploit code for AtlasVPN Linux to the Full Disclosure mailing list and Reddit. By simply copying and pasting this code to their own site, any odd hacker could disconnect any AtlasVPN user from their private network, and reveal their IP address in the process.

"Since the entire purpose of the VPN is to mask this information, this is a pretty significant problem for users," says Shawn Surber, senior director of technical account management at Tanium.

How the AtlasVPN Exploit Works

The issue with AtlasVPN's Linux client boils down to a lack of proper authentication.

"The client does not connect via a local socket or any other secure means but instead it opens an API on localhost on port 8076. It does not have ANY authentication," icudar wrote in his online posts. "This port can be accessed by ANY program running on the computer, including the browser."

Surber guesses that "this vulnerability appears to be caused by the assumption that Cross-Origin Resource Sharing (CORS) protection would prevent it." CORS is a mechanism by which one domain can request resources from another.

As other researchers have pointed out, though, the exploit easily slips past CORS by sending a type of request it does not flag. "CORS is designed to prevent data theft and loading of outside resources. In this scenario, the attack uses a simple command, which slips through the CORS gauntlet and, in this case, turns off the VPN, immediately exposing the user's IP and therefore general location," Surber explains.

What This Means for VPN Users

To test the extent of the vulnerability, icudar wrote malicious JavaScript that would request port 8076 and successfully disconnect the VPN, then request to leak the user's IP address.

"It shows that AtlasVPN does not take their [users'] safety serious, because their software security decisions suck so massively that [it's] hard to believe this is a bug rather than a backdoor," they wrote.

There is no evidence yet of AtlusVPN's vulnerability being exploited in the wild. In a response via Reddit, the head of the IT department at AtlusVPN wrote that the company is fixing the issue, will notify all Linux client users, and release a patch "as soon as possible."

In a written statement for Dark Reading, AtlusVPN could not provide an exact timeline for its patch but assured that "we are actively working on fixing the vulnerability as soon as possible."